Oracle Cloud

Run a persistent OpenClaw Gateway on Oracle Cloud's Always Free ARM tier (up to 4 OCPU, 24 GB RAM, 200 GB storage) at no cost.

Prerequisites

• Oracle Cloud account (signup) -- see community signup guide if you hit issues
• Tailscale account (free at tailscale.com)
• An SSH key pair
• About 30 minutes

Setup

ssh ubuntu@YOUR_PUBLIC_IP sudo apt update && sudo apt upgrade -ysudo apt install -y build-essential

sudo hostnamectl set-hostname openclawsudo passwd ubuntusudo loginctl enable-linger ubuntu

curl -fsSL https://tailscale.com/install.sh | shsudo tailscale up --ssh --hostname=openclaw

curl -fsSL https://openclaw.ai/install.sh | bashsource ~/.bashrc

openclaw config set gateway.bind loopbackopenclaw config set gateway.auth.mode tokenopenclaw doctor --generate-gateway-tokenopenclaw config set gateway.tailscale.mode serveopenclaw config set gateway.trustedProxies '["127.0.0.1"]' systemctl --user restart openclaw-gateway.service

openclaw --versionsystemctl --user status openclaw-gateway.servicetailscale serve statuscurl http://localhost:18789

https://openclaw.<tailnet-name>.ts.net/

Verify the security posture

With the VCN locked down (only UDP 41641 open) and the Gateway bound to loopback, public traffic is blocked at the network edge and admin access is tailnet-only. That removes the need for several traditional VPS hardening steps:

Still recommended:

• chmod 700 ~/.openclaw to restrict credential file permissions.
• openclaw security audit for an OpenClaw-specific posture check.
• Regular sudo apt update && sudo apt upgrade for OS patches.
• Review devices in the Tailscale admin console periodically.

Quick verification commands:

# Confirm no public ports are listeningsudo ss -tlnp | grep -v '127.0.0.1\|::1' # Verify Tailscale SSH is activetailscale status | grep -q 'offers: ssh' && echo "Tailscale SSH active" # Optional: disable sshd entirely once Tailscale SSH is confirmed workingsudo systemctl disable --now ssh

ARM notes

The Always Free tier is ARM (aarch64). Most OpenClaw features work fine; a small number of native binaries need ARM builds:

• Node.js, Telegram, WhatsApp (Baileys): pure JavaScript, no issues.
• Most npm packages with native code: pre-built linux-arm64 artifacts available.
• Optional CLI helpers (e.g. Go/Rust binaries shipped by skills): check for an aarch64 / linux-arm64 release before installing.

Verify the architecture with uname -m (should print aarch64). For binaries without an ARM build, install from source or skip them.

Persistence and backups

OpenClaw state lives under:

• ~/.openclaw/ — openclaw.json, per-agent auth-profiles.json, channel/provider state, and session data.
• ~/.openclaw/workspace/ — the agent workspace (SOUL.md, memory, artifacts).

These survive reboots. To take a portable snapshot:

openclaw backup create

Fallback: SSH tunnel

If Tailscale Serve is not working, use an SSH tunnel from your local machine:

ssh -L 18789:127.0.0.1:18789 ubuntu@openclaw

Then open http://localhost:18789.

Troubleshooting

Instance creation fails ("Out of capacity") -- Free tier ARM instances are popular. Try a different availability domain or retry during off-peak hours.

Tailscale will not connect -- Run sudo tailscale up --ssh --hostname=openclaw --reset to re-authenticate.

Gateway will not start -- Run openclaw doctor --non-interactive and check logs with journalctl --user -u openclaw-gateway.service -n 50.

ARM binary issues -- Most npm packages work on ARM64. For native binaries, look for linux-arm64 or aarch64 releases. Verify architecture with uname -m.

Next steps

• Channels -- connect Telegram, WhatsApp, Discord, and more
• Gateway configuration -- all config options
• Updating -- keep OpenClaw up to date

Related

• Install overview
• GCP
• VPS hosting